Mikrotik to Cisco GRE/IPSEC tunnel keeps dropping out

Hi

I have had 2 GRE/IPSEC tunnels working OK between a Mikrotik router and 2 Cisco routers, but since we recently updated the Mikrotik router to V6.29.1 the tunnels seem to keep dropping out after a few hours.

I have tried LOTS of different configs but cannot seem to fix this one.

Could someone advise me on how to fix this?

I don’t mind sharing my current config or any debugs (just let me know the commands I need to run on the Mikrotik and I will post the config)


Thanks in advance.

Steve

I had a similar problem between Mikrotik and Cisco a year ago, didn’t find a solution but found a good workaround.

Mine would drop out about 8 times a day. The Cisco sends a ‘delete’ packet indicating the IPSec tunnel should be dropped after some time of being idle. (this is normal as it gets reestablished automatically when a packet matches a policy). Or if you manage both devices, you can try and set the lifetime higher.

However, for my issue, Mikrotik would correctly remove the Remote Peer but not the installed security associations (SAs). Thus Mikrotik would continue using the expired SAs.

I set the script below to run every 3 seconds: if there are no remote peers, then flush the installed SAs. The ping part of the script would simply trigger the policy so the device would re-establish the IPSec.

# no phase-1 remote peer left: drop the stale SAs, then ping so the policy is re-triggered
:if ([:len [/ip ipsec remote-peers print as-value]] = 0) do={
    /ip ipsec installed-sa flush
    /ping 192.168.95.1 count=1 interface=bridge-local
    :log info "Reset IPSec Connection"
}

I’ve done IPSec with other Mikrotiks and SonicWalls, doing it with the Cisco is the only one that I had this issue with.

I have such problems as well but they are not due to inactivity.
I have an IPsec VPN (just a normal ESP tunnel, no GRE) to a Cisco and it transports a regular ping. It drops out after a couple of hours, stays down a few minutes, then comes back up. I can trigger it to come back immediately by deleting and reinstalling the SA on the Cisco side.
Other similarly configured VPN links to Linux machines running racoon have no such issue, and before I have had the same tunnel to the same Cisco both on Linux using racoon and on a Draytek router, also with no such problem.

But I remember that in the past, on older Linux versions and also older Cisco IOS, I had exactly the same issue. Right now I am also trying to find out if it can be worked around, e.g. by playing with the lifetime settings, enabling DPD on the Cisco side (it was off), etc. But I have not achieved success yet (for DPD I have no test result yet).

It appears to be an issue not uncommon to IPsec. But I had not seen it for a while. Maybe the racoon version used in the Mikrotik (does it use racoon? or openswan?) is oldish?

Simple scripts like the above are not suitable here as I have 5 different VPNs, so it will need to work with each of them separately (in this case probably only with the Cisco peer).
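
The posted one-liner flushes every SA as soon as the remote-peers list is empty, which is exactly what makes it unusable with several VPNs. The script below is an added example written for this page, not code from either poster: it keeps the same idea (a phase-1 entry for a peer disappears while phase-2 SAs for that peer remain, so the stale SAs must be torn down) but does it per peer, walking each configured `/ip ipsec peer` and toggling only that peer's policies, so the other tunnels keep their SAs. It assumes RouterOS v6 property names `address` on peers, `remote-address` on remote-peers, `src-address`/`dst-address` on installed SAs and `sa-dst-address` on policies, and that disabling a policy removes the SAs installed for it; check those names with `print detail` on your version before scheduling it, and the interface and IP in the original ping line are the poster's, not used here.

```routeros
# Added example (not from the thread): per-peer IPsec watchdog for RouterOS v6.
# Assumed property names, verify with "/ip ipsec <list> print detail":
#   peer "address", remote-peers "remote-address",
#   installed-sa "src-address"/"dst-address", policy "sa-dst-address".
# Install and run every 10 seconds:
#   /system script add name=ipsec-watchdog source=<this text>
#   /system scheduler add name=ipsec-watchdog interval=10s on-event=ipsec-watchdog

:foreach peerId in=[/ip ipsec peer find disabled=no] do={
    # "address" is stored as a prefix such as 203.0.113.10/32; keep the host part only
    :local peerAddr [:tostr [/ip ipsec peer get $peerId address]]
    :local slash [:find $peerAddr "/"]
    :if ([:typeof $slash] = "num") do={ :set peerAddr [:pick $peerAddr 0 $slash] }
    :local peerIp [:toip $peerAddr]

    # phase 1: is there still a live ISAKMP association with this peer?
    :local haveRemote ([:len [/ip ipsec remote-peers find remote-address=$peerIp]] > 0)

    # phase 2: SAs in either direction that still reference this peer
    :local saCount ([:len [/ip ipsec installed-sa find dst-address=$peerIp]] + \
                    [:len [/ip ipsec installed-sa find src-address=$peerIp]])

    # the failure mode from the thread: peer entry gone, SAs left behind
    :if ((!$haveRemote) && ($saCount > 0)) do={
        :log warning ("ipsec-watchdog: peer " . [:tostr $peerIp] . \
            " has no remote-peer entry but " . [:tostr $saCount] . \
            " stale SA(s); resetting its policies")

        # Disabling a policy removes the SAs installed for it (assumption stated
        # above), so toggling only this peer's policies tears down its stale SAs
        # and leaves the other tunnels untouched.
        :foreach polId in=[/ip ipsec policy find sa-dst-address=$peerIp] do={
            /ip ipsec policy disable $polId
            :delay 1s
            /ip ipsec policy enable $polId
        }
    }
}
```

After the toggle the SA is renegotiated the next time traffic matches the policy; for a tunnel that does not carry steady traffic (the GRE keepalive or the regular ping in the posts above usually suffices) add a ping into the remote subnet at the end of the inner loop, as the original script does. Because the check runs per peer, a peer whose remote-peers entry is present is never touched, even while another peer is being reset.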

I have been trying different workarounds but still have not found one that works.
Steve, do you experience permanent dropouts or will the tunnel come back by itself after some time?
(in my case, it does)

I am looking for a solution that keeps it up all the time, not some fixup that detects a problem and recovers it some time
later. And I know that is possible because it has worked for a long time on other routers and software.

Configuring DPD in the Cisco made no difference at all, still dropouts at irregular intervals, that recover after a few minutes.
(not completely irregular, but a multiple of the lifetime that has been set to 1 hour)

Jun 10 00:40:35 autom pingtime[8335]: ping failure vpn241
Jun 10 00:49:08 autom pingtime[8335]: ping reply OK vpn241
Jun 10 05:28:44 autom pingtime[8335]: ping failure vpn241
Jun 10 05:34:03 autom pingtime[8335]: ping reply OK vpn241
Jun 10 10:16:55 autom pingtime[8335]: ping failure vpn241
Jun 10 10:23:21 autom pingtime[8335]: ping reply OK vpn241
Jun 10 14:17:07 autom pingtime[8335]: ping failure vpn241
Jun 10 14:19:12 autom pingtime[8335]: ping reply OK vpn241
Jun 10 19:05:17 autom pingtime[8335]: ping failure vpn241
Jun 10 19:08:27 autom pingtime[8335]: ping reply OK vpn241
Jun 10 23:53:28 autom pingtime[8335]: ping failure vpn241
Jun 10 23:54:28 autom pingtime[8335]: ping reply OK vpn241
Jun 11 04:41:39 autom pingtime[8335]: ping failure vpn241
Jun 11 04:42:39 autom pingtime[8335]: ping reply OK vpn241
Jun 11 09:29:50 autom pingtime[8335]: ping failure vpn241
Jun 11 09:33:00 autom pingtime[8335]: ping reply OK vpn241
Jun 11 14:18:01 autom pingtime[8335]: ping failure vpn241
Jun 11 14:22:16 autom pingtime[8335]: ping reply OK vpn241
Jun 11 19:06:12 autom pingtime[8335]: ping failure vpn241
Jun 11 19:14:46 autom pingtime[8335]: ping reply OK vpn241
Jun 11 23:06:23 autom pingtime[8335]: ping failure vpn241
Jun 11 23:07:23 autom pingtime[8335]: ping reply OK vpn241
Jun 12 03:54:34 autom pingtime[8335]: ping failure vpn241
Jun 12 03:55:33 autom pingtime[8335]: ping reply OK vpn241
Jun 12 08:42:45 autom pingtime[8335]: ping failure vpn241
Jun 12 08:46:59 autom pingtime[8335]: ping reply OK vpn241
Jun 12 13:30:55 autom pingtime[8335]: ping failure vpn241
Jun 12 13:36:15 autom pingtime[8335]: ping reply OK vpn241
Jun 12 18:19:16 autom pingtime[8335]: ping failure vpn241
Jun 12 18:26:44 autom pingtime[8335]: ping reply OK vpn241
Jun 12 23:07:28 autom pingtime[8335]: ping failure vpn241
Jun 12 23:16:01 autom pingtime[8335]: ping reply OK vpn241
Jun 13 03:07:39 autom pingtime[8335]: ping failure vpn241
Jun 13 03:09:43 autom pingtime[8335]: ping reply OK vpn241
Jun 13 07:55:50 autom pingtime[8335]: ping failure vpn241
Jun 13 07:57:54 autom pingtime[8335]: ping reply OK vpn241

Unfortunately with lots of experiments I still have not achieved a stable result.
The connection keeps dropping at irregular intervals, to be re-established a few minutes later.

Is it impossible to make a reliable IPsec connection between Cisco and MikroTik?
I remember these issues with Linux IPsec from years ago, but on regular Linux systems they have been fixed.
Maybe MikroTik has missed some critical patch in the software that is being used?